
PRIVACY

Privacy Policy (read in Albanian)

 

Hoxha, Memi & Hoxha (“we”, “us” or “controller”) is a firm offering professional consultancy in the fields of law, economics, business administration and other similar or related fields (the “Services”). We are committed to protecting the privacy and security of personal data.

This privacy policy (the “Policy”) explains how we collect, store and use (jointly “Processing”) personal data concerning individuals (“you”, “your”, “client” or “data subject”) in compliance with applicable data protection laws including the Albanian Law no. 124/2024 “On the Protection of Personal Data”, as it may be amended from time to time (the “Data Protection Act” or "DPA").

​

This Policy is intended to assist you in making informed decisions when using our website https://www.hmh.al (the “Site”) and when you contact us with requests or clarifications, as well as to understand how your personal data is processed in these instances or in connection with the provision of our Services. It also informs you on how we process recordings of our closed circuit (“CCTV”) system.

​

This Policy additionally explains your rights in relation to your personal data and how to contact us or the supervisory authority if you wish to exercise your rights or you have a complaint.

 

CONTROLLER

 

The party responsible for the processing of personal data in accordance with this Policy is:

 

Name: Hoxha, Memi & Hoxha (HM&H) Shpk.

NUIS: K82223011U

Address: Rr. Abdi Toptani, Torre Drin, 4th floor, Municipality Unit no. 2, Tirana, Albania

Email: info@hmh.al

 

If you have any questions or need clarifications about this Policy, please contact us by sending an email as above.

 

SCOPE

 

​

This Policy applies to the processing of personal data of data subjects, in the context of the following processing activities:

​

  • Processing of personal data in the context of providing our Services.

  • Processing of recordings in the context of the use of our CCTV system.

  • Processing of personal data in the context of the use of our Site.

 

Please note that this Policy does not cover employment or recruitment-related activities, including job applications, work experience placements, or internships. When you apply for such a position with us, we will provide separate privacy notices specific to each recruitment opportunity. These other notices will explain how we handle applicant data during the recruiting process.

​

If you submit an unsolicited application (one that is not related to a posted vacancy), please be aware that we will not process or retain your data. Such applications fall outside our standard recruitment procedures.

​

PERSONAL DATA

​

Personal data is information about data subjects (natural persons) whose identity is determined (e.g. name) or at least determinable through one or more identifiers (e.g. name, date of birth, place of birth, e-mail address etc.).

​

CCTV recordings often contain images of individuals. As this information can be used to identify these individuals, either directly or indirectly, in combination with other pieces of information, it qualifies as personal data.

​

Data Collection

​

If you as a client are an individual, and/or when you visit our premises or use our Site, we will primarily collect your personal data directly from you.

​

However, as our pool of clients is primarily composed of corporate entities, and those clients are not data subjects, your personal data may be provided to us in connection to the provision of our Services – this might include personal information of officers, personnel, customers or any opponent or contractor of our current or prospective clients, including personal information relating to their legal advisors, other advisors or personnel.

If you are an individual whose personal information is processed by us as a result of providing the Services to others, we will only process your personal data that is relevant and necessary to the Services provided, depending on the circumstances of the matter at hand.

​

As such, third-party sources of personal data may include:

​

  • Public sources: Business registries, land registries, regulatory bodies, and other publicly accessible databases.

  • Your representatives: your organization, legal representatives, or authorized agents.

  • Service providers: your bank, employer, consultants, accountants, notaries or other professionals involved in a matter.

  • Third-party correspondence: Communications we receive from others regarding you or your matters.

 

When we collect personal data directly from you, it is your decision whether to provide data or not. If you choose not to provide requested personal data, this may limit or prevent us from providing our Services to you, affect our ability to maintain contact with you, prevent us from entering into contracts or agreements with you, or impact our ability to ensure the exercise of your rights.

​

If you share with us personal data of other data subjects, you must ensure that you have the legal right to provide that data and that you comply with all applicable data protection obligations. Moreover, it is your responsibility to inform these other data subjects that you are sharing their data with us and that their data will be processed in accordance with this Policy.

​

To protect your rights, a number of elements have been taken into account in relation to the collection of data through the CCTV system.

​

These elements include:

​

  • careful assessment of the areas selected for surveillance and the positioning of the cameras;

  • the cameras are visible and positioned in such a way as to ensure that they only monitor the intended surveillance areas (such as entrance, emergency exits, hallways, and technical rooms);

  • notice boards are displayed prominently in the surveillance areas, so that everyone is aware that they are entering an environment covered by the camera;

  • the CCTV system does not intrude on the private sphere of individuals, which means that the surveillance areas will not include toilets or other similar environments; the cameras will not directly monitor workplaces.

 

Categories of Data Subjects

 

The category of individuals whose data we might process under this Policy usually includes, but is not limited to the following. This is a non-exhaustive list which is reflective of the varied nature of the personal information processed as part of a firm providing professional services.

​

  • Clients: current and former clients of our Services.

  • Related parties: family members, associates, or other individuals connected to our clients whose information is necessary for the provision of our Services.

  • Legal or appointed representatives: liquidators, bankruptcy administrators, and similar roles and/or personal appointed representatives acting on behalf of others.

  • Corporate officers: directors, officers, employees, owners, beneficial owners, and persons with significant control.

  • Professional advisors: attorneys, notaries, auditors, accountants, translators, and other professional consultants of the client or of other parties involved in a matter relevant to the Services we provide.

  • Other persons: other persons not listed above, who use our Site or contact us with questions and/or inquiries.

​

Categories of Personal Data

​

We may collect a variety of personal data in the course of the performance of our Services, including through your use of our Site, when you contact or request information from us. Depending on our relationship with you and the legal basis for processing, we may collect the following categories of personal data:

​

  • Identification details: title, name, surname, gender, nationality, date and place of birth, identity document numbers, personal identification numbers, and other official identifiers.

  • Contact details: postal addresses, telephone numbers, and email addresses, professional contact details and social media profiles.

  • Information and documents: copies of identification documents (e.g. passport, national ID card), signature samples and signed documents (personal or on behalf of an organization), and other information and documents required to verify your identity and/or that are relevant and necessary for the provision of our Services.

  • Financial details: bank account details and tax information, source of funds documentation, know your client and/or anti-money laundering documentation when the processing of such data is relevant or necessary for the performance of our Services.

  • Family details: information about your spouse, partner, dependents, family members, or caregivers, when the processing of such data is relevant or necessary for the performance of our Services.

  • Employment details: employment history, salary, and benefits, performance records, disciplinary matters, grievances, and other employment related information, when the processing of such data is relevant or necessary for the performance of our Services.

  • Immigration details: immigration status and related documentation, when the processing of such data is relevant or necessary for the performance of our Services.

  • Sensitive data: health information, including disabilities, ethnicity, race, or religious beliefs, trade union membership, etc.; these details are collected and processed only when they are necessary and relevant for the performance of our Services and subject to the appropriate legal basis and safeguards.

  • Criminal data: information about criminal convictions or offences; these details are collected and processed only when they are necessary and relevant for the performance of our Services and subject to the appropriate legal basis and safeguards.

  • Other relevant data: CCTV recordings of visitors to our premises, as well as any additional personal data necessary for client matters or business operations.

 

We collect only the personal data that is strictly necessary and relevant to your relationship with us and the specific Services we provide. The categories of data we process will vary depending on the nature of our engagement with you.

​

LEGAL BASIS

​

We process your personal data only when permitted by applicable law and solely for the purposes for which it was collected. The legal basis we rely on depends on the nature of our relationship with you and the specific processing activity. Some of the grounds for processing can overlap and there may be several grounds which justify our use of your personal data.

​

We primarily process personal data on the following basis:

​

Performance of a contract - Article 7(1)(b) of the DPA

​

We may process your personal data to enter into or perform our contract with you for the provision of our Services. This includes:

​

  • Evaluating whether or not to accept your engagement.

  • Providing the Services you have requested.

  • Managing our ongoing relationship with you.

 

Legitimate Interests – Article 7(1)(dh) of the DPA

 

We may process your personal data to pursue our legitimate business or a third party's legitimate interest (e.g. to ensure that we provide our Services to the best interest of our client), provided your rights and freedoms do not override these interests. This includes:

​

  • In connection with the provision of our Services, when your data is received from third-party sources as above.

  • Maintaining business and institutional relationships.

  • Developing our business activities.

  • Establishing, exercising, or defending legal claims.

  • Controlling the access in our premises and protection of our property.

  • Sending you direct marketing communications, newsletters, and including you in legal publications (you can opt out at any time)

 

Legal Obligation – Article 7(1)(c) of the DPA

​

We may process your personal data when we are required to comply with a legal or regulatory obligation to which we are subject, including, without limitation:

​

  • Tax law requirements.

  • Professional regulatory obligations governing our activities (e.g. Bar rules).

  • Court orders or requests from competent public authorities.

  • Anti-money laundering and sanctions screening requirements.

 

Consent – Article 7(1)(a) of the DPA

 

We generally do not rely on consent as our primary legal basis. However, we will request your explicit consent when:

​

  • We cannot rely on another lawful basis for processing.

  • We need to process personal data for purposes beyond the original purpose of the data collection.

  • Specific legal requirements mandate obtaining your consent.

 

You may withdraw your consent at any time, though this will not affect processing that occurred before the withdrawal.

​

PURPOSE

​

Provision of Services

​

When we process personal data of our clients and/or data of other data subjects received from third-party sources, in connection with our Services, we use it for the following purposes:

​

Client On-boarding and Compliance

​

  • Conducting identity verification, due diligence and conflict of interest checks.

  • Performing anti-money laundering checks and sanctions screening.

  • Completing other regulatory compliance and on-boarding procedures.

​

Service Delivery

​

  • Providing tailored legal advice and services.

  • Communicating via email, telephone, and other means.

  • Coordinating with counter-parties and third-party service providers (such as notaries, translators, experts, and other professional consultants)

 

Relationship Management

​

  • Managing ongoing client relationship.

  • Assessing or responding to inquiries or claims.

  • Enforcing our agreements, protecting our rights,

  • Identifying opportunities to improve and develop our Services.

 

Financial Administration

​

  • Processing billing and payments.

  • Maintaining financial records and accounts.

  • Collection of due and overdue fees.

 

Regulatory Compliance

​

  • Fulfilling our professional and regulatory obligations.

  • Responding to requests from regulatory authorities and oversight bodies.

 

When we process personal data collected from or on behalf of our clients, we do so subject to obligations of client confidentiality, legal professional privilege protections and the terms of our engagement letter and service agreement with you. These protections ensure your information is handled with the highest standards of professional care and confidentiality.

​

Visitors

​

If you visit our premises, we may collect the personal data that might be necessary to identify you, and your image on our CCTV system. We process such data for the following purposes:

​

  • control the access in our premises and to ensure a quiet, safe and monitored environment for staff and visitors.

  • protect our property from theft, damage or illegal actions, monitoring occurrences on our premises, protect our rights, including to establish, exercise or defend legal claims in front of courts or public authorities, according to the law.

  • prevent and/or to mitigate the consequences of any illegal activity in our premises, including to report such activities to the competent law enforcement authorities, as well as to preserve evidence complying with the applicable legal obligations.

 

People who contact us

 

When we are contacted via our Site contact form, or you otherwise contact us with inquiries and/or requests, we may collect contact details and the content of your enquiry or message, and other information you choose to share with us. The processing of the personal data in these circumstances is made for the following purposes:

​

  • Respond to your enquiry or request.

  • Receive and manage any information, documents, or data you provide.

  • Keep track of previous communications.

  • Assess whether we can assist with your matter.

 

Other cases

​

We may additionally process personal data for the following purposes:

​

  • improve, develop and market new Services.

  • as otherwise required or permitted by law.

​

RECIPIENTS AND TRANSFER

 

The personal data we hold about you may be shared with other recipients as follows. Sharing your personal data will be appropriately justified on the basis of our legitimate interest, legal obligation or to execute your order and instruction.

​

Internal recipients

​

To fulfil the purposes outlined in this Policy, your personal data may be accessible by or shared with internal parties within or connected to our organization, including:

​

  • Our employees and associated lawyers.

  • Accountants and tax advisors at HM&H Business.

  • Other staff members or collaborators who need access to the data to provide our Services.

 

All internal parties who have access to your personal data are bound to confidentiality obligations in accordance with the applicable law. This ensures your information is handled with appropriate care and security.

​

External parties

​

In connection with the provision of our Services, your personal data may be additionally shared with third parties outside our organisation, including, without limitation:

​

  • Professionals: Auditors, accountants, tax advisors, appraisers, arbitrators, mediators, notaries, translators, and other consultants or service providers.

  • Legal counter-parties: client’s opposing party and their legal representatives and counsels, when relevant and necessary for the matter we are following.

  • Financial institutions: banks, financial institutions, payment processors, or insurance companies in the event of an insured claim or incident, etc.

  • Public institutions: courts, prosecutors, law enforcement authorities, land registries, business registries, and other official databases.

  • Service providers: providers that host our systems, provide software, or support our technology infrastructure.

  • Legal publication directories: for the purpose of our ranking in legal directories, we may share limited data (such as name, job description and email address) as referee contact for a specific client matter. We will inform you if we share your data this way and you can opt out at any time.

 

With respect to external parties, we will only share the part of the data that is relevant and necessary to be shared for the purpose.

​

We will make sure that before your data is shared, these external parties, according to the circumstances, are informed on the confidentiality terms you have instructed us to require and/or take appropriate safeguards for the protection of your data.

​

Required disclosures

​

Based on a legal obligation applicable to us, we may be also required to share personal data we have about you to the authorities and other public bodies, including:

​

  • Tax authorities.

  • Law enforcement agencies.

  • Prosecutors and courts.

  • Other regulatory or government bodies.

 

When we are required to comply with a similar disclosure obligation, we will do so only to the extent that is strictly necessary as required by law, and inform you reasonably in advance, unless a prior notice of a required disclosure is prohibited by law or by the applicable order of disclosure.

​

Other cases

​

We do not sell your personal data. The personal data being processed will not be subject to automated decision-making and/or profiling.

​

International Transfers

​

The personal data is processed in Albania. Technical communication data, such as email or website, is stored in servers of third-party communication providers, which are protected under the respective privacy terms of such third-party providers.

​

As a rule, the personal data we hold about you will be shared only with recipients located in jurisdictions that guarantee an adequate level of protection, with respect to which there is an adequacy decision in accordance with Article 40 of the DPA. If we need to share your data with recipients located in other jurisdictions, we will ensure that the transfer is made in compliance with the conditions for international transfers, as set forth under the DPA.

​

RETENTION PERIODS

​

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. The data will be deleted when they are no longer necessary to be retained for the intended purposes or another mandatory period is required.

​

Standard retention periods

​

The standard retention period for personal data processed in connection with the provision of our Services to clients is the duration of our contractual relationship. After the termination of the contractual relationship, we will retain for the applicable legal retention period the part of the personal data that is required to be retained by law.

​

The standard retention period for CCTV footage is up to 30 days, after which the footage will be deleted, unless we are legally required to retain it for longer (e.g. to deal with specific circumstances mentioned below).

​

The personal data you provide us when you contact us regarding a request will be stored for the period necessary to handle your request and further for a period of not more than 3 months, so that we can respond appropriately to subsequent inquiries. Your data will then be deleted when it is no longer necessary to retain it for the intended purposes. Regarding the cookie storage period, see the relevant section below.

​

Legal retention period

​

The applicable legal retention periods are as follows:

​

  • 5 years - for information and documents related to taxation (under the Tax Procedures Act)

  • 5 years - for anti-money laundering data and documentation (under the Act on the prevention of money laundering and the financing of terrorism)

  • 10 years - for financial and accounting information and documents (under the Accounting and Financial Statements Act).

​

Specific circumstances

 

In specific circumstances, we may retain certain data beyond the applicable periods, in order to manage or defend legal disputes, deal with incidents or investigations, comply with mandatory legal requirements and/or address regulatory investigations. When such an extended retention period is necessary, we will identify and retain only the specific data elements required, keep the data for the shortest period possible and comply with statutory limitation periods for legal claims.

​

CONFIDENTIALITY AND SECURITY

 

The security of your personal data is very important for us. The personal data we hold is stored both electronically and in hard copy.

​

To protect your data, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected, we adopt technical and organisational measures to ensure an appropriate level of security and to avoid circumstances that may lead to possible alterations, loss, destruction or unauthorized access, including breach of confidentiality.

​

All internal and external parties who, for the purposes listed under this Policy, receive access from us to the personal data, are obliged to respect the confidentiality of such personal data.

​

SITE AND COOKIES

 

Our Site generally stores technical data of visitors in aggregated, non-precise geolocation data (city/country) and other metrics and focuses on anonymized, aggregated data for general traffic insights.

​

IP addresses: for essential functions, the IP address of users may become visible in relation to the cookie consent log function.

​

Cookies

​

To make our website work properly, we place small data files called cookies on your device.

​

What are cookies

​

Cookies are small pieces of data stored on a browser. They are typically used to keep track of the settings users have selected and actions they have taken on a site. Cookies may be used for important reasons, such as:

​

  • To provide a useful experience for site visitors.

  • To identify registered members (users who registered to a site).

  • To monitor and analyze the performance, operation and effectiveness of the site.

  • To ensure the site is secure and safe to use.

 

Cookies may be categorized based on origin, as:

​

  • First party cookies: these are cookies set by the website you are visiting; these are typically used by the website to remember your preferences, login status and other data for a smoother, personalized user experience on that specific site. Only that website can read first party cookies.

  • Third party cookies: these are cookies that a website allows to be set from a domain different from the website you're visiting; these are typically used by advertisers and marketers to track browsing activity across multiple sites for personalized ads, content, and analytics.

 

Cookies may be also categorized based on their function, as:

​

  • Persistent cookies: these are cookies saved on your computer and that are not deleted automatically when you quit your browser; you need to actively delete these cookies prior to the expiry of their set duration; persistent cookies have a set expiration date (days, months, or years) and are typically used to remember your login details, preferences (like language or theme), and track your browsing behaviour across sessions for personalization, analytics, and targeted advertising.

  • Session cookies: these cookies serve to provide a smooth, uninterrupted user experience by remembering information during a single visit (session), enabling core functions like keeping you logged in, remembering items in an e-commerce cart etc.; these are typically deleted when you quit your browser. Session cookies are generally less intrusive as they don't track you across multiple visits.

 

The above cookie categories (i.e. origin and function) are not exclusive and may overlap.

​

For more information on what cookies are and how they interact with websites, you may visit information pages such as All About Cookies.

​

The following links explain how to access cookie settings in various browsers:

​

 

To opt out of being tracked by Google Analytics across all websites, visit this link: http://tools.google.com/dlpage/gaoptout.

​

Cookie Consent

​

We use a cookie banner on our Site. This gives site visitors the opportunity to accept or decline non-essential cookies on our Site.

​

Consent for cookies that you set in our consent management tool can be edited and withdrawn at any time in the same tool. If the cookie banner is no longer displayed, you will always find a small tab that includes a sign and check mark on the bottom left edge of the screen – as long as you are on our website. When you click that symbol, the consent management tool opens for your changes.

​

The consent management tool lists the following cookie types:

​

Strictly necessary (or essential) cookies: These cookies enable core functionality such as security, verification of identity and network management. These cookies can’t be disabled.

​

Functional cookies: These cookies collect data to remember choices users make to improve and give a more personalized experience. You might need to enable these cookies for some website features to properly work. These cookies are disabled by default. You need to actively accept the use of these cookies in our cookie banner.

 

Marketing cookies: These cookies are used to track advertising effectiveness to provide a more relevant service and deliver better ads to suit your interests. These cookies are disabled by default. You need to actively accept the use of these cookies in our cookie banner.

 

Analytics cookies: These cookies help us to understand how visitors interact with our website, discover errors and provide better overall analytics. These cookies are disabled by default. You need to actively accept the use of these cookies in our cookie banner.

 

Cookie Table

​

Our website mostly uses first-party cookies. These are cookies set and controlled by our website, not by any external organization. By default, the cookies which are placed on our website may be categorized as essential cookies.

​

  • SSR-caching: Performance cookie for rendering/24 hours/essential

  • XSRF-TOKEN: Cookie for fraud detection of calls/Session/essential

  • server-session-bind: Cookie for API protection/Session/essential

  • hs: Security Cookie for Hive/Session/essential

  • svSession: Cookie for security, stability and core site function /12 months/essential

  • bSession: Used for system effectiveness measurement/24 hours/essential

  • fedops.logger.sessionId: Tracking session errors and issues (resilience)/12 months/essential

  • mpaSessionId: Tracking session in Multi-Page Application (MPA)/Session/essential

  • client-session-bind: Cookie for API protection/Session/essential

 

However, considering that our platform gives us the ability to add multiple components, codes, third-party applications...and so on, our website may include other types of cookies which might require specific settings.

​

Moreover, to view or interact with some of our pages, you may use plugins (e.g. social media) of, or be redirected to websites of, external organizations, and you might need to accept their cookies.

​

YOUR RIGHTS

​

Based on the circumstances of a processing activity, you generally have the following rights under the DPA:

​

  • the right to be informed (Article 13 of the DPA) with respect to the processing of your personal data, which is made by us pursuant to this Policy.

  • the right of access (Article 14 of the DPA), which, in summary, consists in the right to be provided with a copy of the personal data we hold about you.

  • the right of correction (Article 15 of the DPA), which, in summary, consists in the right to require us to correct any mistakes in or to update your personal data.

  • the right of erasure, including the right to be forgotten (Articles 15 and 16 of the DPA), which, in summary, consists in the right to require us to delete your personal data, in certain situations.

  • the right of restriction (Article 17 of the DPA), which, in summary, consists in the right to restrict the processing of your personal data—in certain circumstances.

  • the right of portability (Article 18 of the DPA), which, in summary, consists in the right to require us to receive the personal data you provided to us, in a structured, commonly used and machine-readable format or to require us to transmit that data to another controller—in certain situations.

  • the right to object (Article 19 of the DPA), which, in summary, consists in the right to object, in certain situations, that we continue processing activities with respect to your personal data.

  • the right not to be subject to automated decision-making (Article 20 of the DPA), which, in summary, consists in the right to require us not to take decisions about you, based solely on automated processing.

 

In case one or more contexts of processing activities identify your consent as lawful basis for the relevant processing, you have the right of withdrawal (Article 8(3) of the DPA), which, in summary, consists in the right to withdraw the given consent at any time, provided that the withdrawal of the consent shall be without prejudice to the lawfulness of processing based on consent before its withdrawal.

​

Please also be informed that, in certain circumstances, your rights may be restricted by law in accordance with the provisions of Article 21 of the DPA.

​

To exercise these rights, please contact us by sending an email to: info@hmh.al.

To prevent any unauthorised access, we may ask for proof of identity before we provide any information related to the personal data.

​

We will not generally charge you any cost in relation to the exercise of your rights. Where your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the requested action or decide to refuse to take action based on your request.

​

COMPLAINTS

​

If you believe that the processing of your data under this Policy violates the DPA or your claims to exercise your rights have otherwise been violated in any way, you can submit a complaint to:

​

Albanian Data Protection Authority - the Commissioner for the Right to Information and the Protection of Personal Data

Rr. “Abdi Toptani”, Nd. 5,

Kodi postar 1001, Tirana, Albania

E-mail: info@idp.al

https://idp.al/

 

UPDATES

 

We may update this Policy at any time, including the details of one or more contexts of processing activities covered under this Policy. These updates might be, in particular, but not necessarily, needed to comply with regulatory changes, recommendations from competent authorities or to address the changes in the processing activities we perform with respect to the personal data.

​

Whenever we make updates, the latest version of our Policy will be promptly posted on our website.
